Security issue in Facebook, Dropbox iOS apps requires physical access

A newly discovered security flaw in the Facebook and Dropbox applications for iOS could lead to identity theft, but only if a malicious user were to physically get their hands on an iPhone or iPad.

Earlier this week, developer Gareth Wright discovered the flaw in Facebook's official, free software available on the iOS App Store. He was able to install his personal "plist" file from the social networking application on four different devices without warning.

After discovering the issue, Wright contacted Facebook's security team, and they confirmed they are "working to fix it." No timetable was given for the fix.

The same issue was also discovered in the official iOS Dropbox application by The Next Web. Both applications store personal information in plain text, rather than encrypting or packaging it, leaving personal information accessible to malicious users, but only if they are able to obtain the physical device that holds the data.

The data can even be obtained from Apple's latest devices, including the third-generation iPad, and it can be extracted without "jailbreaking" the device, or hacking Apple's iOS mobile operating system.

In other words, there is currently no risk from the security flaw for users who keep their iPhone or iPad in their possession. The newly discovered issue mostly applies to those who may have lost their device or had it stolen.

In a statement, Dropbox said it is currently updating its iOS application to store its access tokens in a "protected location," like the service's Android application already does.

"We note the attack in question requires a malicious actor to have physical access to a user's device," they noted. "In a situation like that, a user is susceptible to all sorts of threats, so we strongly advise safeguarding devices."
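The defect described above is credential material sitting in a plain-text property list inside the app's container, where anyone with the device or an unencrypted backup can read it. The following is an added example, not code from the article, Facebook or Dropbox: a small audit script that parses a plist (XML or binary) and reports any string values whose key names look like tokens, passwords or secrets. The sample plist and its key names are constructed for illustration.

```python
"""Scan iOS property-list (plist) files for credential-like values stored in
plain text, the class of problem described in the article above.

Added example: not code from the article, Facebook or Dropbox. The sample
plist below is constructed for illustration; key names and values are made up.
"""
import plistlib
import re
from typing import Any, Iterator

# Key names that commonly hold credentials. Matching is case-insensitive and
# substring-based, so "access_token" and "SessionKey" both match.
SENSITIVE_KEY_RE = re.compile(
    r"(token|secret|password|passwd|session|oauth|credential)", re.I
)

# Constructed sample in the XML plist form. A real file of this kind would live
# in the app's Library/Preferences directory or in an unencrypted device backup.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>username</key><string>alice</string>
    <key>access_token</key><string>EXAMPLE-TOKEN-NOT-REAL</string>
    <key>settings</key>
    <dict>
        <key>theme</key><string>dark</string>
        <key>oauth_secret</key><string>EXAMPLE-SECRET-NOT-REAL</string>
    </dict>
    <key>recent_ids</key>
    <array><integer>1</integer><integer>2</integer></array>
</dict>
</plist>
"""


def walk(node: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted_path, leaf_value) for every leaf in a parsed plist tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node


def find_plaintext_credentials(data: bytes) -> list[str]:
    """Return dotted paths of non-empty string leaves whose key looks credential-like.

    Works for both XML and binary plists, since plistlib autodetects the format.
    """
    tree = plistlib.loads(data)
    findings = []
    for path, value in walk(tree):
        leaf_key = path.rsplit(".", 1)[-1]
        if isinstance(value, str) and value and SENSITIVE_KEY_RE.search(leaf_key):
            findings.append(path)
    return findings


if __name__ == "__main__":
    for hit in find_plaintext_credentials(SAMPLE_PLIST):
        print(f"plaintext credential-like value at: {hit}")
```

Running it against the constructed sample reports `access_token` and `settings.oauth_secret`, which is exactly the kind of finding that should instead be held in the system keychain rather than a preferences file. The key-name heuristic is deliberately broad; a review of each hit is still needed, since a key such as `session_timeout` would also match.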

1) This isn't good. I don't care if it's because of sloppy coding on the part of FB and Dropbox devs because they didn't follow Apple's guidelines, I do expect that Apple's vetting process can look at a plain text PLIST file for passwords and other sensitive data.

2) Those that want added security 1Password offers a great way to have hard to guess, unique passwords for every site so even if one was compromised those with the same password across sites will be better protected.
https://agilebits.com/onepassword

I am a long time user of 1Password. The iOS version has always been a little awkward. How do you use it? If, say you browse AI on Safari (iOS) and make a comment, how would you use 1Password? I suspect I go the long route out of habit.

Safari is storing my commonly used passwords so AI is always logged in. I'm not a big fan of the 1Password in-app browser so if, for instance, I want to go to my bank website I would access 1Password, input the PIN, find the account, input the password, then copy the password, then go to Safari and access the login from there but don't save the info.

Yes, that's how I do it, too. I was hoping you had discovered that the in app browser was awesome. A real shame it can't work like the OSX version. I read the reason at some point and concluded that I had to live with clunky.

Failure to provide physical security does not equal flaws in software or OS security.

They don't equal it, but that doesn't mean there aren't security issues that need to be addressed. Imagine if anyone could log into your Mac/PC and get access to passwords simply because they have physical access. FB and Dropbox need to address this, as well as Apple. I don't want anyone being able to see any personal files on my devices without first knowing my password/PIN or breaking the drive's encryption.